We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

A new fraud: the impersonation of CEOs

One of the newest trends in fraud is the impersonation of a senior executive, such as a CEO, to induce an employee to bypass the usual procedures and transfer company money to a fraudulent recipient. CEO fraud preys on cultural and linguistic gaps between trading partners, and has become particularly common in trade between China and the United States. This is despite the fact that China requires all adults to obtain resident identification cards, and despite bank requirements that a resident ID be presented when the account is opened.

Once Chinese nationals reach 16 years of age, they are legally required to obtain resident identification cards, which permanently assign a unique 18 digit number to each individual. These cards also contain biometric data that is electronically administered by the Chinese public security bureaus (the police). This ID card system gives the Chinese authorities tremendous capacity to track and manage the population of 1.3 billion people. A Chinese person would, for example, have trouble purchasing high speed train or airline tickets without his or her ID card, and of course cannot open a bank account without one.

There are a number of other tight controls in place, including those relating to the movement of foreign currency. Any foreign company that establishes a subsidiary in China must remit foreign currency as the subsidiary’s registered capital to a designated capital account before the funds can be converted into local currency for business expenses. Foreign currency loans made by a foreign parent company to a Chinese subsidiary must be remitted to a designated loan capital account. The loan can only be used for the business purposes stated in the loan application to the foreign exchange authority, known as the State Administration of Foreign Exchange. Chinese companies that need foreign currency to meet foreign contractual obligations, or are paid by overseas clients in foreign currencies, must apply to a licensed bank for the settlement of Renminbi with the foreign currency. Chinese individuals face strict limits (currently set at US$50,000 per year) in the amount they can exchange or remit abroad, and these transactions require an explanation of their purpose.

As a result of the strict foreign exchange controls and the highly sophisticated ID card system, fraudsters face serious challenges in moving funds away from the rightful recipients and into their own accounts. Nevertheless, they have found ways to get around these measures.

How they do it

Perpetrators of CEO fraud have found and exploited a gap in China’s currency controls: the China-based offshore bank account. Since 2002, the People’s Bank of China (PBOC), the central bank of the PRC, has licensed four banks (the Bank of Communications, China Merchants Bank, Ping An Bank and Shanghai Pudong Development Bank) to offer China-based, “offshore” bank accounts to offshore companies and foreign nationals. In an exception to the otherwise omnipresent currency controls, a bank account of this type allows its holder to freely move foreign currency out of China.

To open an offshore account, an individual must present foreign documentation such as an offshore company registration certificate and the company director’s passport, or another document that demonstrates the individual’s residency rights outside the mainland. For these reasons, neither the strict foreign exchange controls, nor the ID card system can impede the flow of criminal proceeds, nor can it assist with tracking down the criminals who opened the account.

The unique Wenzhou situation

Anecdotal evidence suggests that a high proportion of attempted CEO fraud originates from, or at least involves bank accounts registered in, the city of Wenzhou in Zhejiang province. In order to analyse the problem of CEO fraud as a whole, and the ways in which it may be reduced, it is important to understand why this might be the case.

Situated to the south of Shanghai, Wenzhou is the third largest city in Zhejiang, with around three million inhabitants. It is widely known as a city of entrepreneurs and one of the cradles of China’s private sector economy. It is also the source of a particularly large proportion of emigrants. Its particular tradition of emigration may have been nurtured by its relative isolation from the rest of China as a coastal city with a mountainous interior.

Emigrants who now live now overseas, and those who have returned with overseas identities or resident rights, potentially provide Wenzhou with easier than usual access to the foreign identity documents required to set up an offshore bank account either in their own name, with stolen papers, or with the collusion of the owner of the papers.

Successful CEO fraud also involves being able to predict with some accuracy how a potential victim will react to the situation manufactured by the fraudster. Reactions to such situations, vulnerabilities, and common sense are all shaped to a great extent by cultural norms. Having experience of living and working outside mainland China is crucial to developing an understanding of how foreigners may react to situations outside, as well as inside, the PRC. A comparative analysis of what constitutes common sense in China and other countries is beyond the scope of this article, but it is difficult to dispute that the cultural norms of Chinese culture diverge widely from norms outside Asia.

With its combination of easy access to foreign identity papers, and an understanding of foreign behaviour, Wenzhou offers both ease of opening a foreign currency offshore bank account, and a level of cultural knowledge vital to committing this type of fraud.

Banking control failures

The China Banking Regulatory Commission (CBRC) mandates that, in order to open an overseas bank account, the prospective account holder must present one or more forms of non-PRC identification. This may be the first problem with the system. With around 200 countries and territories in the world, it is unrealistic to expect local bank staff to be familiar with all the possible forms of non-PRC identification with which an applicant may validly open an account. It is equally unrealistic to expect them to be able to distinguish the genuine and valid papers from those that are fake or stolen.

This problem is compounded by the lack of ability to cross-check identities through electronic systems. Even though Chinese banks have access at some level to PRC identity cards, household registrations and other data, they have no such access to similar data from overseas.

Furthermore, local people may collude in the misuse of their identification documents, either as a favour, for a fixed payment, or for a proportion of any gain. In doing so, they know that they may pose as the victim of identity theft rather than as an accessory to fraud. In reality there is little possibility that they will be caught or sanctioned.

National failures

Chinese and international legal and structural factors also militate against the effective countering of CEO fraud.

The victim of CEO fraud, usually resident outside the PRC, is rarely a customer of the Chinese bank to which funds are fraudulently remitted. Since the foreign victim had no contractual relationship with the Chinese bank, the bank owes no contractual duty to the foreign entity, and suing the bank would not be a solution to the problem.

It is similarly unreasonable for the victim to sue the Chinese bank. China’s first codified national civil law came into force on 1 July 2010. It contained a number of innovations, including setting out a list of civil rights and interests to be protected, of which the right to property is one. In the absence of any prior relationship between the foreign party and the Chinese bank, it is difficult or impossible to establish the duty of care that, under Chinese law as well as in other jurisdictions, is the fundamental basis for the protection of victims from theft.

The CBRC is the only government body with undisputed authority to instruct Chinese banks or subject them to a penalty. It is not clear, however, how much the CBRC considers combating CEO fraud as a regulatory priority. There doesn’t appear to be a huge appetite to address it at the moment.

The fragmentation of government, administrative and enforcement structures in China also makes it difficult for foreign victims to seek help in CEO fraud cases. The fraudsters typically open multiple accounts across China in order to quickly channel the criminal proceeds. It is not realistic to expect the Chinese police to collaborate across jurisdictions quickly enough to catch the fast-moving funds, which literally move at the speed of light. The Chinese police force, like any national police force, has to prioritise its efforts and work within limited resources. The police may not place a high priority on time-consuming, linguistically-challenging efforts to chase funds on behalf of foreign corporate victims.

Another problem is that, despite the imposition of tougher measures against money laundering and other financial crime throughout the world in recent years (including in China), there is currently no treaty or international law specifically drafted or intended to counter cross-border CEO fraud.

Solutions

In the event of being hit with CEO fraud, a company’s first action should be a request to the bank to recall the payment. If it is too late to recover the money, the company needs to move quickly to report the crime to the law enforcement authority in the location of the bank account set up by the fraudsters. Crime reporting involving foreign victims can be a long process in some countries, as the local law enforcement wants the foreign victim to first document its identity before they can act on the matter. An experienced local law firm can expedite this process.

The most effective response to CEO fraud, however, lies in preventing erroneous payments from taking place in the first place. The common feature of this type of fraud is that they all take place in the virtual world. Communications via the internet are manipulated by criminals to create certain impressions on the victim companies’ financial personnel. Those financial personnel are led to believe that transactions are taking place under special circumstances that warrant circumvention of normal payment protocols. Once these personnel are convinced that the situation is legitimate, the rest is easy for the criminals.

Companies sending payments overseas should therefore educate their financial staff on the risks of international fraud. International companies should adopt a strict protocol that requires at least two people to sign off payments exceeding a certain threshold. Employees should be alert to any change in a payee’s contacts , their e-mail or street addresses, and banking information.

They should always verify the identity of the person requesting the payment and authenticate the identity and banking information of their overseas payees by two different communication channels, using pre-authorised contact details. When a payee provides its banking information for payment purpose, the information should be checked to ensure it comes from a person who has the authority and has sent the information via a correct, authorised e-mail address or fax number.

For example, in China, while many Chinese companies and their staff use English names to communicate with international counterparties, officially registered company names or individual names are only in Chinese. Best practice for working with Chinese companies is to request a copy of their business licenses and certificates of organisational ID. Without these, businesses could be misled by English names to sending payments to fraudulent companies.

Fraud is essentially a mind game. Prevention of fraud ultimately relies on increasing awareness and enhancing scrutiny within target companies.

A version of this paper was first submitted to the 33rd Cambridge International Symposium on Economic Crime, Jesus College, Cambridge, September 2015.